Windows WMF exploit
corncobman
- Posts: 304
- Joined: Fri Aug 08, 2003 7:00 am
Windows WMF exploit
All you have to do to get infected is to visit a website with an infected file on it.
WHAT IS IT?
There is a new exploit out that uses WMF (Windows Metafile Format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)
WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in Windows Fax Viewer or the part of Windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.
This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff.
Here's a video of what this version is doing:
http://www.websensesecuritylabs.com/ima ... -movie.wmv
More information here:
http://forums.somethingawful.com/showth ... id=1759903
-It is not the fall that kills you. It's the sudden stop at the end. (Douglas Adams)-
[url=http://www.violationentertainment.com/misc/ccm]-An eyeful a day is bloody fantastic!-[/url]
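The post's key point is that a metafile renamed to .jpg or .gif is still handled as a metafile, so an extension is no evidence of what a cached file is. The script below is an added example, not from the thread or from any tool it links: it classifies files by their leading bytes using the documented WMF header layout (the placeable-metafile key 0x9AC6CDD7, or a standard header whose type is 1 or 2, header size is 9 words and version is 0x0100 or 0x0300). The sample "files", the verdict strings and the helper names are all constructed for the example.

```python
"""Content-based check for Windows Metafile (WMF) files hiding behind another
image extension.  Added example, not from the thread; sample data is constructed."""
import struct
from pathlib import Path

# Leading bytes of the formats a file may claim to be by its extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}

# Key that opens an Aldus "placeable" WMF header (22 bytes, then the standard header).
PLACEABLE_WMF_KEY = 0x9AC6CDD7
# Standard WMF header: type (1 memory / 2 disk), header size in words (always 9),
# version, file size in words, object count, largest record, member count.
STANDARD_WMF_HEADER = struct.Struct("<HHHIHIH")


def is_wmf(data: bytes) -> bool:
    """True if the bytes open with a placeable or a standard WMF header."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < STANDARD_WMF_HEADER.size:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the leading bytes say."""
    ext = Path(name).suffix.lower()
    if is_wmf(data):
        return "wmf" if ext == ".wmf" else "wmf-disguised-as-" + ext.lstrip(".")
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(data.startswith(magic) for magic in expected):
        return "ok"
    return "mismatch"


def scan_directory(root: str) -> dict:
    """Classify every regular file under root (e.g. a browser cache) by its first 64 bytes."""
    verdicts = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                verdicts[str(path)] = classify(path.name, fh.read(64))
    return verdicts


def make_wmf_header(placeable: bool = False) -> bytes:
    """Constructed minimal WMF header (disk metafile, version 3.0, no records)."""
    header = STANDARD_WMF_HEADER.pack(2, 9, 0x0300, 9, 0, 0, 0)
    if placeable:
        # Key, handle, bounding box (4 signed words), inch, reserved, checksum (left 0).
        header = struct.pack("<IHhhhhHIH", PLACEABLE_WMF_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header


# Constructed sample "files": two honest images, two metafiles whose extension lies,
# one honestly named metafile, and one image whose extension is simply wrong.
SAMPLES = {
    "cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "logo.gif": b"GIF89a" + b"\x00" * 16,
    "photo.jpg": make_wmf_header() + b"\x00" * 8,
    "avatar.png": make_wmf_header(placeable=True),
    "chart.wmf": make_wmf_header(),
    "notes.png": b"GIF89a" + b"\x00" * 16,
}


def scan_samples() -> dict:
    """Verdict for each constructed sample, keyed by file name."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12} {verdict}")
```

Pointing scan_directory at a browser cache or download folder lists every file whose content is a metafile regardless of what it is called. The check only says what a file is, not whether it is harmful; a metafile that turns up where only JPEGs and GIFs should be is the thing to hand to the antivirus scanner rather than to the thumbnailer.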
corncobman
- Posts: 304
- Joined: Fri Aug 08, 2003 7:00 am
BlueGene wrote: Are there any other ways to fix this? I heard about this a few days ago; I'm just waiting on Microsoft. But it will take a while.

Get an antivirus program and up-to-date virus definitions
Get some spyware removal tools, such as Spybot Search and Destroy, and update them
Disconnect your computer from the internet
Go into safe mode and scan your computer
-It is not the fall that kills you. It's the sudden stop at the end. (Douglas Adams)-
[url=http://www.violationentertainment.com/misc/ccm]-An eyeful a day is bloody fantastic!-[/url]
primaltheory
- Posts: 623
- Joined: Wed Dec 28, 2005 4:31 am
BlueGene wrote: Are there any other ways to fix this? I heard about this a few days ago; I'm just waiting on Microsoft. But it will take a while.

Oh, so you're waiting for Duke Nukem Forever to come out?
Why not?
[i]Jenny: lol, i'm not changing the whole harddrive directory structure for a mod. Do it proper like other mods please.[/i]
corncobman
- Posts: 304
- Joined: Fri Aug 08, 2003 7:00 am
http://www.hexblog.com/
has a program which patches your computer to be invulnerable to the exploit. Adds an add/remove program entry so you can remove it later when the patch actually comes out.
http://www.hexblog.com/security/files/w ... blog14.exe
and also a file to check whether you are vulnerable
http://www.hexblog.com/security/files/w ... exblog.exe
-It is not the fall that kills you. It's the sudden stop at the end. (Douglas Adams)-
[url=http://www.violationentertainment.com/misc/ccm]-An eyeful a day is bloody fantastic!-[/url]
corncobman wrote: Get an antivirus program and up-to-date virus definitions / Get some spyware removal tools, such as Spybot Search and Destroy, and update them / Disconnect your computer from the internet / Go into safe mode and scan your computer

Already have Nod32, Spybot, Microsoft AntiSpyware & Ad-Aware.

primaltheory wrote: Oh, so you're waiting for Duke Nukem Forever to come out?

Yes, but I'm also waiting for you to post some videos of your dad and you street racing.

corncobman wrote: http://www.hexblog.com/ has a program which patches your computer to be invulnerable to the exploit. Adds an add/remove program entry so you can remove it later when the patch actually comes out.
http://www.hexblog.com/security/files/w ... blog14.exe
and also a file to check whether you are vulnerable
http://www.hexblog.com/security/files/w ... exblog.exe

That should do, thanks.